The Internet of Things has the potential to transform many fields, including home automation, medicine, and transportation. It will connect more things and more people to the Internet, and ultimately, connect more people with each other. Our devices will know, more than ever, who we are, what we pay, what we sign up for, or with whom we interact. As a result, one of the significant issues raised by the Internet of Things is consumer privacy and data security.
Because interconnected devices and services often collect and share large amounts of personal information, companies offering products as part of the Internet of Things must ensure that they safeguard the privacy and security of users. Policymakers and members of the technology community must also be sensitive to consumer privacy and data security issues.
The recent Federal Trade Commission action against TRENDnet provides a vivid example of the potential mishaps that can occur when proper privacy and security measures are missing. TRENDnet sold its Internet-connected SecurView cameras for purposes ranging from home security to baby monitoring. Defective software allowed unfettered online viewing and in some instances listening, by anyone with the camera’s IP address. As a result, hackers posted live feeds of nearly 700 consumer cameras on the Internet, showing activities such as babies asleep in their cribs and adults going about their daily lives. In addition, TRENDnet transmitted user login credentials in clear, readable text over the Internet.
The Federal Trade Commission charged that TRENDnet’s lax security practices exposed the private lives of hundreds of consumers to public viewing on the Internet and found that TRENDnet’s practices were deceptive and unfair. Among other things, the settlement requires TRENDnet to establish a comprehensive information security program and to obtain third-party assessments of its security programs every two years for the next 20 years. TRENDnet must also notify customers about the security issues with the cameras and the availability of the software update to correct them, and provide free technical support for the next two years to assist customers in updating or uninstalling their cameras.
Mobile devices and wearable devices play an important role in the Internet of Things, as well. They collect, analyze, and share information about users and their environment, such as their current location, travel pattern, speed, or the noise levels in their surroundings. They allow users to connect with each other in all sorts of settings, and share – knowingly, or not – a wide variety of information among themselves and with the service provider.
Mobile app providers have an obligation to inform their customers about their collection and use. This is specifically required by the California Online Privacy Protection Act. The Federal Trade Commission agrees, as well. In February 2013, the Federal Trade Commission investigated the practices of Path, a social network that allows users to keep journals about moments in their life and share them with up to 150 friends.
In its complaint against Path, the FTC identified circumstances where Path deceived users by collecting personal information, such as information from their address books, without the users’ knowledge or consent. The FTC concluded that the collection of personal information from a mobile phone without disclosure or permission may be a deceptive or unfair practice under the FTC Act. The final consent decree requires Path to establish a comprehensive privacy program and obtain independent privacy assessments every other year for the next 20 years. Path will also have to pay a fine of U.S. $800,000 to settle charges that it illegally collected personal information from children without their parents’ consent.
This case has obvious implications for other Internet-connected devices that collect personal information about users. Such technologies should include some way to notify users and obtain their permission. This raises questions of how businesses should convey, on the small phone screen, information about what data, sometimes of a highly sensitive nature, these devices and apps collect, use, and share.
Providing notice to consumers may be complicated in the case of devices with a limited or no user interface. Activity trackers have only very basic user interfaces on the device itself. Smart light bulbs may not have any consumer-facing user interface. Similar issues arise with wearable devices, such as smart watches, wristbands or glasses. Addressing consumers’ privacy concerns over such devices will present business, engineering, and policy challenges that will require constant innovation.
The Internet has evolved to one of the most dynamic forces in the global economy. It is reshaping entire industries and changing the way we interact on a personal level. The Internet of Things promises even greater progress, but raises significant information privacy and security issues.